The next question is key length. We recommend choosing the highest value,
which is 4096:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits

Next, you need to specify the validity period of your key. This is a
subjective choice, and you can use the default value, which is to never expire:

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all

Confirm that the answers you gave were correct by typing y:

Is this correct? (y/N) y

Enter your real name, the email address to be associated with this key (should
match a verified email address you use in GitLab) and an optional comment
(press Enter to skip):

If you don't want to type the -S flag every time you commit, you can tell Git
to sign your commits automatically:

git config --global commit.gpgsign true

Verifying commits

Within a project or merge request, navigate to
the Commits tab. Signed commits will show a badge containing either
"Verified" or "Unverified", depending on the verification status of the GPG
signature.

Click the GPG badge to display the details of the signature.
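Signature status can also be checked locally before pushing. The following is an added example, not part of the original page or of GitLab's code: it reads the output of `git log --format='%H %G? %GK'` and lists every commit that Git could not confirm as carrying a good signature. The function names and the sample data are constructed for illustration, and the check relies on your local GnuPG keyring, so it is independent of the badge GitLab displays.

```shell
#!/bin/sh
# Added example (not GitLab's code). Flags commits whose signature Git
# cannot confirm locally. Input: lines of "<hash> <status> <key id>" from
#   git log --format='%H %G? %GK'
# The status letters are the ones documented for %G? in git-log(1).

flag_unverified() {
    while read -r hash status key; do
        [ -n "$hash" ] || continue
        case "$status" in
            G) continue ;;   # good signature from a valid key: nothing to report
            U) reason="good signature, key validity unknown" ;;
            X) reason="good signature that has expired" ;;
            Y) reason="good signature made by an expired key" ;;
            R) reason="good signature made by a revoked key" ;;
            B) reason="bad signature" ;;
            E) reason="cannot be checked (public key missing?)" ;;
            N) reason="no signature" ;;
            *) reason="unrecognised status '$status'" ;;
        esac
        printf '%s\t%s\t%s\n' "$hash" "${key:-none}" "$reason"
    done
}

# Audit a revision range in the current repository. Returns non-zero when
# anything is flagged, so it can gate a push or a CI job.
audit_range() {
    flagged=$(git log --format='%H %G? %GK' "$@" | flag_unverified)
    [ -z "$flagged" ] && return 0
    printf '%s\n' "$flagged"
    return 1
}

# Constructed sample input: hashes and key ids are made up.
sample_log() {
    cat <<'EOF'
1111111 G AAAAAAAAAAAAAAAA
2222222 N
3333333 R BBBBBBBBBBBBBBBB
4444444 E CCCCCCCCCCCCCCCC
EOF
}

sample_log | flag_unverified
```

Inside a repository, `audit_range origin/master..HEAD` applies the same check to the commits you are about to push (the range is an assumption; use your own branch names).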

Revoking a GPG key

Revoking a key unverifies already signed commits. Commits that were
verified by using this key will change to an unverified state. Future commits
will also stay unverified once you revoke this key. This action should be used
in case your key has been compromised.

To revoke a GPG key:

In the upper right corner, click on your avatar and go to your Settings.

Navigate to the GPG keys tab.

Click on Revoke beside the GPG key you want to delete.

Removing a GPG key

Removing a key does not unverify already signed commits. Commits that were
verified by using this key will stay verified. Only unpushed commits will stay
unverified once you remove this key. To unverify already signed commits, you need
to revoke the associated GPG key from your account.

To remove a GPG key from your account:

In the upper right corner, click on your avatar and go to your Settings.